Capturing packets without losing many of them can be hard. If you're monitoring TLS (including SIP over TLS), you need every single packet in order to decode the session.
Many of us have a Linux server for doing our captures. There are some great tools like gulp and n2disk (among other great work on this subject from Luca Deri). But on a vanilla Linux machine, using whatever Ethernet interfaces you have, you can still do some neat stuff.
(a) tcpdump is more efficient than tshark at writing raw packets to disk; e.g.,
tcpdump -s 1514 -i eth2 -w file.pcap
will tend to capture more packets than the equivalent tshark command.
(b) A busy Linux box, or a high packet rate, will lose some data because tcpdump or tshark is not the process running all the time. You can run tcpdump at a higher priority with the "nice" command and a negative nice level:
nice --adjustment=-10 tcpdump -s 1514 -i eth2 -w file.pcap
(c) Sometimes the disk system just cannot keep up with the rate of traffic, and the disk buffers aren't large enough. Without tuning kernel disk buffers, you can make a ramdisk. This example checks that about 1660 MB of RAM is free once buffers and cache are accounted for (RAM doing nobody any good), makes a 1000 MB ramdisk using the "tmpfs" filesystem feature, and writes a big capture to it. The summary tcpdump prints when it stops is the check that nothing was lost: "0 packets dropped by kernel".
[root@sniffer /]# free -m
             total       used       free     shared    buffers     cached
Mem:          2010       1748        262          0        159       1239
-/+ buffers/cache:        349       1660
Swap:         3999          0       3999
# mkdir /tmp/ramdisk
# mount -t tmpfs -o size=1000m tmpfs /tmp/ramdisk/
# nice --adjustment=-10 tcpdump -s 1514 -i eth2 -w /tmp/ramdisk/ecg_sniffer_eth2_20180321.pcap
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1514 bytes
1199062 packets captured
1199075 packets received by filter
0 packets dropped by kernel
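The whole procedure above, as an added shell example that is not from the original post: it computes free memory the way the "-/+ buffers/cache" line of free does, sizes the tmpfs from it, runs the capture at raised priority, and turns tcpdump's closing statistics into a pass/fail check. The 500 MB headroom, the /tmp/ramdisk path and the function names are assumptions of this example.

```shell
# Added example, not from the original post: size a tmpfs ramdisk from the
# memory that is really free, capture into it with tcpdump at raised priority,
# and check tcpdump's own end-of-run statistics for kernel drops. The 500 MB
# headroom and /tmp/ramdisk are assumptions; mount and negative nice need root.

# Memory free for use in MB: MemFree + Buffers + Cached from /proc/meminfo,
# i.e. the "-/+ buffers/cache" free figure of the older free -m output.
free_mb() {
    awk '/^(MemFree|Buffers|Cached):/ { kb += $2 }
         END { printf "%d\n", kb / 1024 }'
}

# Ramdisk size in MB: free memory minus headroom, never negative.
ramdisk_mb() {
    size=$(( $1 - ${2:-500} ))
    if [ "$size" -gt 0 ]; then echo "$size"; else echo 0; fi
}

# Read tcpdump's summary lines and say whether anything was lost:
# "ok", "dropped N of M" (M = packets received by filter) or "no summary".
check_drops() {
    awk '/packets received by filter/ { r = $1 }
         /packets dropped by kernel/  { d = $1; seen = 1 }
         END { if (!seen) print "no summary"
               else if (d == 0) print "ok"
               else print "dropped " d " of " r }'
}

# Mount the ramdisk and capture into it. Usage: capture_to_ramdisk IFACE SIZE_MB FILE
# Statistics go to a file rather than a pipe so Ctrl-C cannot kill the reader first.
capture_to_ramdisk() {
    mkdir -p /tmp/ramdisk
    mount -t tmpfs -o "size=$2m" tmpfs /tmp/ramdisk
    nice --adjustment=-10 tcpdump -s 1514 -i "$1" -w "/tmp/ramdisk/$3" 2>/tmp/ramdisk/tcpdump.err
    check_drops </tmp/ramdisk/tcpdump.err
}

# Constructed sample data (same figures as the free -m output in the post).
SAMPLE_MEMINFO='MemFree:          268288 kB
Buffers:          162816 kB
Cached:          1268736 kB'
SAMPLE_SUMMARY='1199062 packets captured
1199075 packets received by filter
0 packets dropped by kernel'
avail=$(printf '%s\n' "$SAMPLE_MEMINFO" | free_mb)
echo "free for use: ${avail} MB, ramdisk: $(ramdisk_mb "$avail") MB"
echo "last capture: $(printf '%s\n' "$SAMPLE_SUMMARY" | check_drops)"
if [ "$1" = "--run" ]; then   # real run, as root: sh capture.sh --run eth2
    capture_to_ramdisk "${2:-eth2}" "$(ramdisk_mb "$(free_mb </proc/meminfo)")" "cap_$(date +%Y%m%d).pcap"
fi
```

Run without arguments it only exercises the checks on the constructed samples; with --run it mounts the ramdisk and captures until tcpdump is interrupted.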
ECG would be glad to help with your Voice and Video Network Engineering, and 24x7 customer support. Ping us to learn more.